2 comments

[ 113 ms ] story [ 333 ms ] thread
How is authorization handled? Our GraphQL API authenticates on a JSON web token in the Authorization header. Can we be part of the mesh? To support that I suppose a single query might need multiple sets of credentials/tokens.

It seems better to put those in the query itself rather than in request headers. It's easy enough to modify our API to read the token from the query/variables rather than a header. GraphQL Mesh could make a standard schema for that.

It depends, and might be different across APIs. Because OpenAPI spec allow you to use different methods of authentication (general query param, per-endpoint query param or authentication via headers). So if it's per-operation or part of the endpoint, it will be converted into a graphql argument as part of the operation. If it's a general authentication method for the whole OpenAPI file, like with headers, Mesh allow to to configure it as part of your configuration explicitly, or load it from an environment variables, and if it's a dynamic token you can do interpolations like `Authorization: {context.authToken}` and it will take it from the execution context every time.